Expand Up @@ -8,9 +8,3 @@ extensions:
- ['global', 'Member[process].Member[stdin].Member[on,addListener].WithStringArgument[0=data].Argument[1].Parameter[0]', 'stdin']
- ['readline', 'Member[createInterface].ReturnValue.Member[question].Argument[1].Parameter[0]', 'stdin']
- ['readline', 'Member[createInterface].ReturnValue.Member[on,addListener].WithStringArgument[0=line].Argument[1].Parameter[0]', 'stdin']

- addsTo:
pack: codeql/javascript-all
extensible: barrierModel
data:
- ['global', 'Member[encodeURIComponent,encodeURI].ReturnValue', 'request-forgery']
Expand Up @@ -82,4 +82,8 @@ module CorsPermissiveConfiguration {
)
}
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }
}
}
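Review bot: The added `SanitizerFromModel` class has no QLDoc, so nothing in the module tells a reader that barriers for this query can now come from model data of kind `cors-origin`. A one-line comment above the class would do, for example `/** A sanitizer contributed by a barrier model of kind "cors-origin". */`. The same undocumented class is added, each with its own kind string, in the ClientSideUrlRedirect, CodeInjection, CommandInjection, DomBasedXss, log-injection, NosqlInjection, ReflectedXss, RequestForgery, ServerSideUrlRedirect, SqlInjection, TaintedPath and UnsafeDeserialization sections. The module body starts outside this hunk.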
Expand Up @@ -270,4 +270,8 @@ module ClientSideUrlRedirect {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
}
}
Expand Up @@ -438,4 +438,8 @@ module CodeInjection {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }
}
}
Expand Up @@ -58,4 +58,8 @@ module CommandInjection {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }
}
}
Expand Up @@ -421,4 +421,8 @@ module DomBasedXss {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
}
}
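Review bot: The barrier kind `html-injection` registered here is the same string the ReflectedXss section uses, so a single barrier model row will cut flow in both queries, even though a value that is safe in one output context is not necessarily safe in the other. The `url-redirection` kind is shared in the same way by ClientSideUrlRedirect and ServerSideUrlRedirect. This mirrors the existing sink kinds, but for barriers the over-approximation produces missed alerts rather than extra ones. A comment on the class such as `// NOTE: kind is shared with ReflectedXss; a barrier modelled here applies to both queries` would make that visible to model authors. The module starts outside the hunk, so whether the two sink sets differ enough for this to matter should be checked against the full file.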
Expand Up @@ -44,4 +44,14 @@ module HardcodedCredentials {
not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
}
}

/**
* Note that a sanitizer with kind `credentials-key` will sanitize flow to
* all sinks, not just sinks with the same kind.
*/
private class CredentialSanitizerFromModel extends Sanitizer {
CredentialSanitizerFromModel() {
exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind))
}
}
}
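Review bot: `CredentialSanitizerFromModel` discards `kind`, so a barrier modelled for one credential kind silences hardcoded-credential alerts for every kind, as the doc comment itself concedes. For a query whose misses are secrets left in source, that false-negative risk is worth either narrowing or tracking explicitly. The context line above calls `getCredentialsKind()`, which suggests sinks carry a kind that the barrier could be matched against instead of being applied globally. If that is not feasible, extend the comment with something like `* TODO: restrict to sinks of the matching kind, or document why the broad barrier is acceptable.` The class that owns `getCredentialsKind()` is outside the hunk, so the feasibility of matching is an assumption.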
Expand Up @@ -101,7 +101,13 @@ module IncompleteHtmlAttributeSanitization {
}
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
/**
* An encoder for potentially malicious characters, as a sanitizer
* for incomplete HTML sanitization vulnerabilities.
*/
class EncodingSanitizer extends Sanitizer {
EncodingSanitizer() {
this = DataFlow::globalVarRef(["encodeURIComponent", "encodeURI"]).getACall()
}
}
}
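Review bot: `EncodingSanitizer` treats every call to `encodeURIComponent` or `encodeURI` as a complete sanitizer, but neither function encodes `'`, and `encodeURI` also leaves `&` untouched, so a value placed in a single-quoted attribute is not made safe by them. The behaviour looks carried over from the removed `request-forgery` model lookup rather than introduced here. Now that it is an explicit class, though, the doc comment should state the limit, for example `* NOTE: these functions do not encode single quotes; treating them as sanitizers is an over-approximation.` It may also be worth declaring the class `private`, like the `SanitizerFromModel` it replaces, unless other modules are meant to refer to it. The surrounding module begins outside the hunk.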
Expand Up @@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
}
Expand Up @@ -47,4 +47,8 @@ module NosqlInjection {

/** An expression interpreted as a NoSql query, viewed as a sink. */
class NosqlQuerySink extends Sink instanceof NoSql::Query { }

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") }
}
}
Expand Up @@ -147,4 +147,8 @@ module ReflectedXss {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
}
}
Expand Up @@ -114,4 +114,8 @@ module RequestForgery {
class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer {
UriEncodingSanitizer() { this.encodesPathSeparators() }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
}
}
Expand Up @@ -66,4 +66,8 @@ module ServerSideUrlRedirect {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
}
}
Expand Up @@ -74,4 +74,8 @@ module SqlInjection {
)
}
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") }
}
}
Expand Up @@ -1124,4 +1124,8 @@ module TaintedPath {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "path-injection") }
}
}
Expand Up @@ -69,4 +69,8 @@ module UnsafeDeserialization {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
}

private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") }
}
}